Build a Better Firewall: Linux HA Firewall Tutorial

Tired of maintaining your expensive commercial firewalls? Check out how combining Firewall Builder with a Linux HA firewall pair can provide a big solution at a low price.

About Firewall Builder

Originally started in 2000, Firewall Builder is an open-source project with
thousands of users around the world using it to manage production
firewalls. In addition to iptables, Firewall Builder also includes support
for configuring BSD pf, Cisco ASA, PIX and FWSM firewalls, Cisco IOS
router access lists, and ipfw and ipfilter firewalls. Commercial licenses are
available for prebuilt MS Windows and Mac OS X packages.

The focus of this article is using Firewall Builder's cluster feature
to manage a single firewall policy for the HA firewall pair, but let's
start with a quick overview of a few key Firewall Builder concepts.

Objects form the foundation of the Firewall Builder GUI. Objects are
used to represent common firewall rule elements, such as IP networks, IP
hosts and TCP and UDP protocols. Firewall Builder comes with hundreds of
predefined objects for common elements, like well-known TCP services. The
same object can be used in firewall rules on multiple firewalls, letting
users define an object once and use it as many times as needed.

After a firewall object has been created and rules have been configured
for that firewall, Firewall Builder generates a script that will be
run on the target firewall server to implement the firewall rules that
were defined in the GUI. The process of creating this script is called
compiling the firewall rules. The generated firewall script
also can be used to manage interface IP addresses, static routes and various
system settings.

For more information about Firewall Builder basics, go to the
NetCitadel Web site (see Resources), which includes a comprehensive Users
Guide.

Now, let's dive in to configuring the firewall cluster with Firewall
Builder. In order to create an HA firewall pair, called a cluster in
Firewall Builder, you first need to configure the
individual firewall objects that will be members of the cluster.

Creating Firewall Objects in Firewall Builder

Click the Create new firewall button in the middle of the main
window to launch the new firewall wizard that provides a series of
dialog windows to walk you through the process of creating a new
firewall object.

Set the firewall name (lj-fw-1) and platform type (iptables) in the first
dialog and click the Next button. Leave the default setting of
“Configure interfaces manually” on the next dialog window, and click
the Next button. The final dialog window is where the interfaces
for the firewall are defined. Follow the steps shown below to add the
interfaces for the lj-fw-1 firewall.

Step 1: click the green + sign to create a new interface:

Set the interface name to “eth0”.

Set the interface label to “outside”.

Click the Add address button.

Enter 192.168.1.2 with Netmask of 255.255.255.0.

Step 2: click the green + sign to create a new interface, and
repeat the steps from Step 1 to configure eth1 (“eth1”,
“inside”, 10.1.1.2,
255.255.255.0).

Step 3: click the green + sign to create a new interface, and
repeat the steps from Step 1 to configure eth2 (“eth2”,
“synch”, 192.168.100.2,
255.255.255.0).

Step 4: click the green + sign to create a new interface, and
repeat the steps from Step 1 to configure lo (“lo”,
“loopback”, 127.0.0.1,
255.0.0.0).

Figure 2 shows an example of the interface dialog window after the first
interface, eth0, has been defined. Once all interfaces are configured,
click the Finish button to create the firewall object.

Figure 2. The Set Interface Dialog Window for New Firewall Wizard

The newly created firewall object will be displayed in the object tree
panel on the left. Right-click on the lj-fw-1 object and
select Duplicate→Place in Library User from the menu. This creates
an exact copy of lj-fw-1 in the object tree and opens it for editing in
the editor panel at the bottom of the screen.

Rename the newly created firewall object to lj-fw-2. Click
“Yes”
on the warning message that is displayed about changing the name of all
child objects. The lj-fw-2 firewall object will show in the object tree
with all its child objects expanded.

When the firewall is duplicated, the interface IP addresses on the new
firewall are the same as the interface IP addresses on the original
firewall. Update the interface IP addresses to match the correct IP
addresses for the eth0 interface on the lj-fw-2 firewall as shown
in Figure 3. Repeat this process for IP addresses of interfaces eth1
and eth2.

Figure 3. Changing Interface IP Addresses on the Copied Firewall
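To make concrete what the compiled script has to do for one cluster member, and why the copied member's addresses must be changed before it is built, here is a hand-written shell script. It is an added example, not Firewall Builder's generated output: it sets the interface addresses from the tables above and installs a minimal default-deny iptables policy that admits management only on the inside interface and synch traffic only from the peer. The lj-fw-1 addresses are the article's; the lj-fw-2 addresses (the .3 hosts), the management port 22 and the policy rules themselves are assumptions for illustration. By default it prints the commands instead of running them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added illustration, not Firewall Builder output: a hand-written script that
# does what the compiled script for one cluster member has to do, namely set
# the interface addresses from the tables above and install a default-deny
# iptables policy. lj-fw-1 addresses come from the article; lj-fw-2 addresses
# (the .3 hosts), the management port and the policy are ASSUMED.
# DRY_RUN=1 (the default) prints the commands instead of running them;
# DRY_RUN=0 ./fw.sh lj-fw-1 applies them on a member.

DRY_RUN="${DRY_RUN:-1}"

# Interface tables: name, label, address/prefix, one interface per line.
LJ_FW_1="eth0 outside 192.168.1.2/24
eth1 inside 10.1.1.2/24
eth2 synch 192.168.100.2/24"

LJ_FW_2="eth0 outside 192.168.1.3/24
eth1 inside 10.1.1.3/24
eth2 synch 192.168.100.3/24"

INSIDE_NET="10.1.1.0/24"
MGMT_PORT=22      # ASSUMED: the installer reaches the management interface over SSH

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The duplicate-and-rename step leaves lj-fw-2 with lj-fw-1's addresses until
# they are edited. Prints how many addresses the two tables still share.
shared_addresses() {
    printf '%s\n%s\n' "$1" "$2" | awk '{print $3}' | sort | uniq -d | wc -l | tr -d ' '
}

# $1: interface table of the member being configured
configure_interfaces() {
    printf '%s\n' "$1" | while read -r name label addr; do
        run ip addr add "$addr" dev "$name"
        run ip link set "$name" up
    done
}

# $1: table of this member, $2: table of the peer (for the synch rule)
install_policy() {
    peer_sync=$(printf '%s\n' "$2" | awk '$2 == "synch" {print $3}' | cut -d/ -f1)

    run iptables -F
    run iptables -X
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP

    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT

    # Anti-spoofing before any stateful accept: inside addresses never arrive on eth0.
    run iptables -A INPUT -i eth0 -s "$INSIDE_NET" -j DROP
    run iptables -A FORWARD -i eth0 -s "$INSIDE_NET" -j DROP

    for chain in INPUT OUTPUT FORWARD; do
        run iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    # Management only on eth1 from the inside network (the "Management interface" box).
    run iptables -A INPUT -i eth1 -s "$INSIDE_NET" -p tcp --dport "$MGMT_PORT" \
        -m state --state NEW -j ACCEPT

    # Synch link: only the peer member talks on eth2, in either direction.
    run iptables -A INPUT -i eth2 -s "$peer_sync" -j ACCEPT
    run iptables -A OUTPUT -o eth2 -d "$peer_sync" -j ACCEPT

    # Inside hosts may open connections to the outside.
    run iptables -A FORWARD -i eth1 -o eth0 -s "$INSIDE_NET" -m state --state NEW -j ACCEPT
}

# Build one member by name; refuses if its table still shares an address with the peer.
build_member() {
    case "$1" in
        lj-fw-1) me="$LJ_FW_1"; peer="$LJ_FW_2" ;;
        lj-fw-2) me="$LJ_FW_2"; peer="$LJ_FW_1" ;;
        *) echo "unknown member: $1" >&2; return 2 ;;
    esac
    if [ "$(shared_addresses "$me" "$peer")" != "0" ]; then
        echo "$1 still shares an address with its peer; fix the copied interfaces" >&2
        return 1
    fi
    configure_interfaces "$me"
    install_policy "$me" "$peer"
}

[ "$#" -eq 0 ] || build_member "$1"
```

Run `./fw.sh lj-fw-1` to see the command list for the first member; the shared-address check is the script's equivalent of the Figure 3 step, and it is what stops a forgotten edit from putting two hosts on the network with the same addresses.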

The final step is to identify the interface that will be used to manage
each of the lj-fw-1 and lj-fw-2 firewalls. This will be used later by
the installer to determine which IP address to use to connect to the
firewall. Double-click on the interface object named “eth1” of
the lj-fw-1 firewall to open it for editing and check the box labeled
“Management interface” in the editor panel. Repeat the process for
the lj-fw-2 firewall.